+++ This bug was initially created as a clone of Bug #713518 +++
Created attachment 504902[details]
Patch to re-enable same-realm fallback for canonicalize errors
Description of problem:
Clients linked against Kerberos 1.9 fail against older KDCs that don't support canonicalize. This affects FNAL, since we have operational needs to keep KDC online, but want to allow folks running RHEL6 (and compatible) to connect.
Version-Release number of selected component (if applicable):
krb-1.9
How reproducible:
Always.
Steps to Reproduce:
1. kinit with an older (1.2?) KDC.
2. ssh using kerberos to another node.
Actual results:
debug1: Unspecified GSS failure. Minor code may provide more information
KDC can't fulfill requested option
Expected results:
Successful ssh connection
Additional info:
Here's the mail from Greg Hudson from the MIT Kerberos team:
Neither of these functions is used in the TGS request path. What
actually happened was a change in the fallback behavior when get_creds.c
was rewritten for 1.9. Previously, we would retry without the
canonicalize bit set any time we got an error from our first referral
request, but in 1.9 we only retry if we would be doing so in a different
realm.
The old fallback behavior will be restored in 1.9.2 (I just committed
the patch), but depending on your deployment scenario, it may be easier
to work around this problem by patching the KDC. It would be a very
simple patch to validate_tgs_request() in kdc_util.c.
I've attached Greg's patch. It applies cleanly (with fuzz) to 1.9-9, and I did some rudimentary testing at Fermilab which was successful.

Package krb5-1.9.1-5.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.9.1-5.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/krb5-1.9.1-5.fc15
then log in and leave karma (feedback).

I have tested this on both 32 bit and 64 bit Fedora 15.
I have successfully been able to log into Fermilab with both of them.
Thank you very much for the quick turnaround.
I will attempt to increase the karma of this, but I'm not sure if I have login rights on there, so if someone else wants to increase the Karma, that would be fine with me.